UK announces fine to mandate cybersecurity for CNI companies

With increasing regulations, how can you stay ahead of constantly evolving cyber threats?

22 August, 2017

The UK is proposing a hefty fine for critical national infrastructure (CNI) companies that fail to protect against loss of service due to cyberattacks.[1] For companies that do not comply with the new regulations, the fine could be as high as £17 million, or up to four percent of annual turnover.

Among other criteria, the fine would be assessed against companies that fail to:

Develop a strategy and policies to understand and manage their cybersecurity risks

Implement security measures to detect and prevent attacks or system failures

Deploy security monitoring

Take steps to raise staff awareness and require training

Assess their risks adequately or take appropriate security measures

The proposed measures will also cover threats affecting IT such as power and hardware failures and environmental hazards. This mandate comes on the heels of the EU’s impending General Data Protection Regulations (GDPR), which sets guidelines for how sensitive data should be protected. While GDPR focuses more on data loss prevention, this proposed legislation shifts the focus to comprehensive cybersecurity resilience and preparedness.

The legislation will help strengthen the security standards of industries that operate critical infrastructure that people depend upon. UK companies that operate electricity, transport, water, energy, health and digital infrastructure will be forced to take necessary measures to meet the challenges presented by modern cyber threats.

This proposal comes just months after several organisations in the United Kingdom fell victim to global cyberattacks including WannaCry – a ransomware campaign that held more than one million computer systems hostage – and Petya – the wiper attack that destroyed files on machines in more than 60 countries.

This fine will address the changing dynamics of the nation’s CNIs. As they move towards increasingly connected large networks that allow for monitoring and remote automated control via computer networks, the potential for cyberattacks rises.

According to a report released by the UK government, cyberattacks on CNIs can be motivated by financial gain (e.g. by ransom), to manipulate public opinion, demonstrate an attacker’s prowess, conduct espionage or cause physical disruption.[2] Potential attackers range from individuals and activists with limited capability to organised crime groups and nation-states with significant expertise and resources.

The report also notes that foreign states or state-sponsored groups regularly attempt to penetrate UK networks, specifically targeting the defence, finance, energy, telecommunications and government sectors.

Is your company prepared for similar legislation? Here are some measures you can take to boost your cybersecurity:

Encryption – store sensitive data that is only readable with a digital key

Integrity checks – regularly check for any changes to system files

Network monitoring – use tools to help you detect for suspicious behaviour

Although cybersecurity regulations will require significant effort for the companies that are affected, this new legislation by the UK government demonstrates that they understand the severity of cyber threats in today’s digital world and the destruction they can cause, if undeterred.

Even if you’re not a CNI, cyber threats should concern you. With cybercriminals constantly adjusting their tactics, it is imperative that companies never stop defending themselves by constantly improving and expanding their cybersecurity practices. Managed detection and response (MDR) and incident response planning are common ways companies can stay ahead of their attackers.

MDR is an all-encompassing cybersecurity service used to detect and respond to cyberattacks. Using the best of signature, behavioral and anomaly detection capabilities, along with forensic investigation tools and threat intelligence, human analysts hunt, investigate and respond to known and unknown cyber threats in real time, 24x7x365.

eSentire Media Contacts

Eldon Sprickerhoff

Founder & Chief Security Strategist

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.